Design, Process, and Review for LANDesk 8.8 Alerting and Monitoring


Overview

Core Side Setup and Configuration
Alert.exe Overview
System and Server Manager
Specific Core Side Alerts
Specific Client Side Alerts
General Issues


Core Side Setup and Configuration

Differences
› In 8.7 System Manager was a separate component
    System Manager had its own Web Console that was used to configure alerts
    The Core Server had a separate 32-bit interface to configure alerts for the core only.
    Several actions were available: Log, Email, Fax, Page, etc. But most of these options were largely never used.
› In 8.8 System Manager and the Core interface were combined on the core and a new interface was born: Flash Console
    All alerting rulesets are now edited through the Flash Console
    Actions have changed: Intel vPro, Log, Email, Run an application on the core, Send an SNMP Trap
    More options for ruleset deployment are available: Add, Remove All, or Replace.


Core Side Setup and Configuration (Cont.)

Similarities
› The same 3 alert requirements are in place.
    Alert: What is it you want to alert on?
    Action: What action(s) do you want to take when the alert happens?
    Time: When do you want to monitor and alert on the event?
› A System or Server Manager License is still required for most alerts on the client.
› Core side alerts and abilities are basically the same.
› Health can be changed for certain alerts
    Example: If a device can no longer be detected with a PING then its icon in inventory can be changed to “critical” and will have a red bang icon next to it. Once the device comes back online the health status returns to normal.


Core Side Setup and Configuration (Cont.)

Alerting Configuration Process
› Configure the alert
› Save the alert ruleset
› Publish the alert ruleset
› Distribute the alert ruleset to clients


Core Side Setup and Configuration (Cont.)

Distributing Alerts:
› Alerting rulesets need to be saved and published before distribution can take place.
› Alertsync.exe is called and a pull takes place


Core Side Setup and Configuration (Cont.)

Email
› Common mistakes and problems
    Multiple % symbols are used. %%D=%D whereas %D = Description
    Incorrect spaces: % space D
    Variables are used somewhere besides Subject and Body
› Log files
    Alertservice.log
    › C:\Program Files\LANDesk\ManagementSuite
    › This log will display the exact command sent to the email server. This can help with formatting.
    Sendemail.log
    › C:\Program Files\LANDesk\ManagementSuite
    › This log will report errors when communicating with the email server


Alert.exe Overview

Alert.exe is like a subsystem. Various applications call alert.exe with command line parameters about what alert they want logged.
› Alert.exe references the ruleset XML files for details about the alert.
› Alert.exe attempts to transmit the alert to the core or, in the case of a core side alert, it’s logged in the database.
› If the core server or the inventory server is busy then the alert is saved as an XML file in a queue folder.

Alert Queue folders reside on the client and core. After a short period of time alert.exe or alertservice.exe (core server) will check the queue and process the alert.


Alert.exe Overview (Continued)

What calls alert.exe?
› Services
    LDINV32 (Core Inventory Server), Vulscan, etc.
› Providers
    LDmemory.exe
    LDdrives.exe
    LDapplication.exe
    Etc.


Alert.exe Overview (Continued)

http://clientnameORIP:9595/ldclient/ldprov.cgi/index


Alert.exe Overview (Continued)

LDMemory (addremovememorymonitor)


Core Side Alerts

What alerts are available on the core?
› A detailed list is contained in the core alert ruleset
› Device Monitoring
    Sends a ping to a device and will alert when a device is not responsive.
    Configured in two pieces
    › What devices to monitor?
    › Configuration of the actual alert.
    Note: This alert is enabled by default in 8.8 SP2 with a log action
    This ability should be limited to important servers as it uses the same system as Agent Discovery and can interfere if too many pings are going out too rapidly. Many devices can be monitored but the entire inventory shouldn’t be monitored.
    Monitoring of this alert relies on PING and therefore DNS etc.


Core Side Alerts (Continued)

Device Monitoring
› Configure – Services Menu on the core


Core Side Alerts (Continued)

Inventory Changed Alert
› Alerts when a pre-selected inventory item has changed since the last inventory scan.
› Configured in two spots
    Inventory History (to select what inventory items to monitor)
    Inventory Changed Alert itself


Core Side Alerts (Continued)

Inventory Changed Alert
› Configure – Inventory History on the core
› Inventory = Logs changes in the device’s Inventory History Dialog
› NT Log = Logs changes in the NT Event Log
› Alert = Send an alert


Client Side Alerts

What alerts are available for the client?
› All alerts are listed in the LDMS Default Ruleset
› Some alerts are configured in other locations
    Example: Security and Patch has an “alert” group. If a definition is discovered on a particular device then an alert can be fired to show that device as needing the patch in the alert group

Logs
› Most client logs are reported in C:\Program Files\LANDesk\Shared Files\


Client Side Alerts (Continued)

Example client alert: Service Monitoring
› This alert is part of the Server Manager add-on.
› The alert fires when a previously specified service is started or stopped.
› Process Walkthrough…


System and Server Manager

System Manager
› Designed for desktop systems and interacting with general hardware
    Can alert on memory, hard drive space, CPU usage, etc.

Server Manager
› Designed for server class systems with added hardware chipsets and sensors.
    IPMI alerting capabilities for temperature, fan speeds, etc.
    Enhanced alerting (which includes all System Manager Alerts)
    › Example: The ability to alert when a service has started or stopped.


General Issues

Logs Tab fails to display any results or an Application Error occurs while loading the Tab.
› Cause:
    Too many alerts logged in the Alert Log table
› Resolution:
    http://community.landesk.com/support/docs/DOC-5036
    Resolution involves removing records from the Alertlog Table in the database and then configuring clients so that the “Agent Started” alert is not triggered.

“Management Agent Started” Alert
› Designed for System Manager to update the health status.


General Issues

An Email Action is configured and the alert is logged at the core but an email is not received.
› Cause:
    Email authentication was changed in 8.8 and by default doesn’t allow Plain Authentication.
› Resolution:
    Enable Plain Authentication by changing the “NonExtended” database entry in the AlertEmail Table from “0” to “1” for each configured Email Alert Action.
    http://community.landesk.com/support/docs/DOC-2849


General Issues

Troubleshooting email configuration
› Email Servers can vary
    Sendemail.exe performs a “fire and forget” action
› Using “helo” and “ehlo”
    Some type of authentication is needed on the email server.
    http://community.landesk.com/support/docs/DOC-2687

SMTP mail uses a reserved port number (25) to handle the protocol. SMTP servers can accept unauthenticated mail or they may impose a variety of user/password schemes. In order to invoke authentication, the SMTP server must accept extended commands. So instead of using the HELO command to start an SMTP session, the EHLO (Extended HELO) command is used. Authentication is only available in the Extended SMTP case. Here is an example of both the HELO and EHLO commands submitted to an SMTP server:
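An added example, not taken from the original deck or from LANDesk: the Python below parses a server's replies to HELO and EHLO and reports whether the session is extended, which AUTH mechanisms are advertised, and whether STARTTLS is offered, which is what decides whether Plain Authentication can work at all. The host names and reply lines are constructed samples.

```python
import re

# Constructed sample replies (not captured from a real server).
HELO_REPLY = ["250 mail.example.test Hello core01.example.test"]
EHLO_REPLY = [
    "250-mail.example.test Hello core01.example.test",
    "250-SIZE 36700160",
    "250-STARTTLS",
    "250-AUTH LOGIN PLAIN",
    "250 8BITMIME",
]
EHLO_REJECTED = ["500 5.5.1 Command unrecognized"]

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_reply(lines):
    """Return (code, [text lines]) for one possibly multi-line SMTP reply."""
    code, texts = None, []
    for raw in lines:
        m = REPLY_RE.match(raw.rstrip("\r\n"))
        if not m:
            raise ValueError(f"malformed SMTP reply line: {raw!r}")
        if code is not None and m.group(1) != code:
            raise ValueError("reply code changed inside one reply")
        code = m.group(1)
        texts.append(m.group(3))
        if m.group(2) == " ":      # a space after the code marks the last line
            break
    if code is None:
        raise ValueError("empty reply")
    return int(code), texts

def summarize_greeting(command, lines):
    """Describe what the server offered in response to HELO or EHLO."""
    code, texts = parse_reply(lines)
    result = {"command": command.upper(), "accepted": code == 250,
              "extended": False, "auth": [], "starttls": False}
    if result["command"] != "EHLO" or code != 250:
        return result              # a HELO reply never lists extensions
    result["extended"] = True
    for ext in texts[1:]:          # the first line is the greeting itself
        keyword, _, params = ext.partition(" ")
        if keyword.upper() == "AUTH":
            result["auth"] = params.upper().split()
        elif keyword.upper() == "STARTTLS":
            result["starttls"] = True
    return result

def plain_auth_possible(summary):
    """True when this session is extended and the server advertises AUTH PLAIN."""
    return summary["extended"] and "PLAIN" in summary["auth"]
```

Comparing the summary for each greeting against the command recorded in Alertservice.log shows whether the core and the mail server agree on an authentication method.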

 


General Issues

When selecting Alerting in the 32-bit console some of the rulesets are missing
› Cause: Server or System Manager wasn’t installed on the core when the core was initially configured.
    Some alerts are designed for the enhanced capability of Server or System Manager. If these components are not installed then some rulesets will be missing
› Resolution: None. Unless Server or System Manager is desired.
    These rulesets can be added later with the help of the following document: http://community.landesk.com/support/docs/DOC-2775


General Issues

Sometimes when using the “Inventory Change Alert” to alert when a specific inventory item has changed the Node/Name appears blank
› Cause:
    The inventory server processes the alert and calls alert.exe with all of the alert information added as part of the command line. This is accomplished while the scan is being processed and before it’s recorded in the database. During this process the node is checked in the database which appears blank when the scan is received from a new device.
› Resolution:
    An escalation is filed to change this behavior in the future. For now any alerts received in this state simply indicate that the scan came from a new device.


Further Questions/Contact Information

Name: John Trafelet, PSE Console
Email: [email protected]